Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Automation Tester

v1.0.0

Professional automation testing career roadmap generation platform that creates personalized learning paths based on experience, skills, and career goals.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and OpenAPI schema consistently describe a roadmap-generation API and sample request/response shapes, so the claimed capability aligns with the files present. However, the skill provides no server/base URL and no declared authentication even though pricing and external links imply a hosted, paid API—that omission reduces coherence.
! Instruction Scope
SKILL.md is documentation-style and does not instruct the agent to read local files or secrets, which is good. But it references external domains (toolweb.in, portal.toolweb.in, a truncated Kong route) and does not tell the agent which endpoint to call or how to authenticate. The lack of concrete runtime instructions (base URL, auth headers, or how to obtain credentials) is an important gap and could hide assumptions about where data is sent.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or automatically installed. That minimizes installation risk.
! Credentials
The skill declares no required environment variables or credentials. Given the pricing tiers and references to an external API host, one would normally expect an API key or token to be required. The absence of declared credentials is disproportionate to the apparent purpose (a hosted API) and leaves unclear how calls would be authenticated or where data would be sent.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not claim to modify agent or system configuration. Normal autonomous invocation is allowed but not combined with other privilege escalations.
What to consider before installing
This package reads like API documentation rather than a fully-configured skill. Before installing or using it, ask the author for: (1) the API base URL(s) the skill will call, (2) authentication requirements and how to supply credentials (API key, token), and (3) a privacy/security statement describing what user data is sent and stored. If you must test it, do so with non-sensitive/sample data in a sandbox. Prefer skills that explicitly declare required environment variables and server endpoints so you can verify where your data will go. If the author cannot justify why no auth is needed despite paid plans and external links, treat the skill as untrustworthy.

Like a lobster shell, security has layers — review code before you run it.
